GRC Implementation Success, Part 1: Implementation Success is GRC Success

DoubleCheck Software presents GRC Implementation Success, a guest blog series by Blue Hill Research Principal Analyst David Houlihan. This series draws on five years of Blue Hill studies in GRC in order to highlight key lessons for purchasing and implementing GRC software.

Part 1 of this series examines why implementation success is a key factor in the overall success or failure of an organization’s GRC investment.

Any enterprise software purchase is a risk. At the most basic level, it is a bet that the money spent on new tools and capabilities will result in a payoff in the ability to do something better, faster, or cheaper. In most business cases, this bet is articulated in simple terms: “If we start using X, then we will get benefit Y.”

The reality, of course, is less cut and dried. A wide variety of factors contribute to the value an organization realizes (or fails to realize) from a technology investment. The most significant factor is also the most obvious: how much it cost the organization to put the technology in place. An investment with relatively little impact can be a success if the cost is low enough, just as a huge benefit can be negated if the cost to implement it was high enough. This is why return on investment (ROI) is such a potent indicator of success.

Charting Implementation Success and Failure

This is as true of investments in governance, risk, and compliance (GRC) platforms as it is of any other enterprise technology. However, the degree to which GRC investment is based on indirect value propositions means that the cost and difficulty of implementation take on added importance in determining organizational value and satisfaction. To this end, Blue Hill’s benchmark report, Contributors to GRC Implementation Success: Avoiding the Worst-Case Scenario, showed that shorter, less expensive implementation cycles (“the best case”) correlated clearly with greater ultimate business and user impact than those benchmarked as the most costly and time-consuming.

Table: Profiles of Best Case and Worst Case Implementations

As with all enterprise application investments, GRC implementation is complex. It can require significant process change, integration with the existing enterprise ecosystem, and solution tailoring to fit organizational needs. Where these factors are poorly managed, the consequences can be dramatic. In just a few failed implementations examined by Blue Hill, those consequences have included:

  • Implementation cycles that run a year or more over schedule
  • Budgets that ballooned multiple times over the initial estimate (often due to unforeseen consulting labor)
  • Abandonment of the investment mid-implementation

Even where the implementation project is completed, poor planning and management can result in user abandonment due to gaps in the solution or inflexibility in the environment that fails to accommodate inevitable changes in standards or business processes.

Planning and preparation make the critical difference to implementation success. To this end, Blue Hill found that solution architecture, data model, and vendor pricing and service strategies, while they are factors, were not strongly correlated with the length and cost of an implementation. The failure to assess, consider, or plan for these factors was much more important. By contrast, a recent case study involving KBR, Inc.’s implementation of DoubleCheck GRC for SOX compliance management demonstrates how a well-considered evaluation of business requirements, one that drives solution evaluation and implementation from the beginning, can yield a complex GRC rollout completed in under eight months from inception to rollout.

The Relationship Between Implementation Success and Investment Success

These differences in implementation experience can result in tremendous differences in time-to-value, overall lifetime value, and ROI, even where the impact of the investment is otherwise the same.

To illustrate this point, assume that a GRC investment contributes $125,000 in savings for every quarter that the organization uses the platform ($500,000 annually). Now, compare the first three years of that investment under Blue Hill’s Worst Case scenario with a Best Case scenario. Using the mid-point values in Blue Hill’s data, the Worst Case scenario costs the organization $637,500 and takes 13.5 months to deploy. The Best Case scenario takes 3.5 months to deploy and costs $127,500. Ignoring maintenance fees and other factors for simplicity, we can map the differences in experiences. At the end of the three-year cycle, the Best Case scenario has yielded $1.2 million in value, while the Worst Case scenario has yielded $300,000 (a difference of 308%).

Figure: Impact of GRC Over Three Years in Best Case and Worst Case Scenarios 

Although this is a simple illustration, the difference between the two scenarios shows the range of experiences that can follow a GRC investment, depending on how the implementation goes. As this series continues, we’ll look at the primary factors that Blue Hill’s research has found to influence the time and effort involved in the implementation process itself.

Next, we look at: GRC’s role and value contributions to the business.

About David Houlihan, Esq.

David Houlihan researches enterprise risk management, compliance and policy management, and legal technology. He is an experienced advisor in legal and technology fields with a unique understanding of complex information environments and business legal needs.
Posted on November 10, 2017 by David Houlihan, Esq.
